Sho Show Me the Money w Me the Money Characterizing - - PowerPoint PPT Presentation

sho show me the money w me the money
SMART_READER_LITE
LIVE PREVIEW

Sho Show Me the Money w Me the Money Characterizing - - PowerPoint PPT Presentation

Oct 11, 2023 835 likes •1.07k views

Sho Show Me the Money w Me the Money Characterizing Spam-advertised Revenue Nicholas Weaver Damon McCoy Chris Kanich Tristan Halvorson Christian Kreibich Kirill Levchenko Vern Paxson Geoffrey M. Voelker Stefan Savage UC San Diego

slide-1
SLIDE 1

1

Sho Show Me the Money w Me the Money

Characterizing Spam-advertised Revenue

Chris Kanich Nicholas Weaver Damon McCoy Tristan Halvorson Christian Kreibich Kirill Levchenko Vern Paxson Geoffrey M. Voelker Stefan Savage UC San Diego International Computer Science Institute UC Berkeley

slide-2
SLIDE 2
  • Spam fundamentally advertises goods for sale
  • spammer revenue = orders placed x revenue/order
  • Goal: Characterize this revenue

Spam Business Model

how much and from where

slide-3
SLIDE 3

Players in the Spam Economy

3

slide-4
SLIDE 4
slide-5
SLIDE 5
slide-6
SLIDE 6

Studying affiliate programs

Oakland 2011 Click Trajectories study:

  • 969 Million spam emails analyzed
  • Identified all pharma, replica, software sites
  • Mapped sites to affiliate programs
  • Made multiple purchases per program
  • Showed relationship between affiliate

programs and banks

6

Levchenko et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain IEEE Security and Privacy 2011

slide-7
SLIDE 7

Customer Service

  • Customer service email includes order ID#

7

482065, 483939, 496427 !

slide-8
SLIDE 8

Sequential Update Hypothesis

Each affiliate program has a single global counter implementing order number. When ordering from an individual Affiliate Program, order numbers are sequentially updated for each new order.

8

slide-9
SLIDE 9

Order Throughput Inference

9

slide-10
SLIDE 10

Affiliate Program coverage

10

66% of pharma spam 97% of downloadable software spam

slide-11
SLIDE 11

Dataset

156 orders over 2 months

11

slide-12
SLIDE 12

Validating sequential update hypothesis

  • Standard in popular cart implementations
  • Consecutive orders increment by one
  • Consistent across long term measurements
  • Time keying, time binning (see paper)

12

slide-13
SLIDE 13

Order Throughput Inference

13

slide-14
SLIDE 14

From orders to revenue

Revenue = # orders x average order price

  • Order completion rate
  • How many of each drug are ordered
  • Which drugs are ordered
  • Prior order estimates [Kanich et al., CCS 2008]
  • Absolute minimum cost item
  • Observed item distribution

14

slide-15
SLIDE 15

From orders to revenue

Consistent with Rx-Promotion CC processor data

15

slide-16
SLIDE 16

Product demand

  • Where are the customers?
  • What drugs are desired?
  • Ideally: full weblog data from Affilliate Program
  • Can we infer this from available information?

16

slide-17
SLIDE 17

Eva Pharmacy

17

752,000 distinct visitor IPs 3,089 distinct cart additions

slide-18
SLIDE 18

Everybody Visits…

18

75% of all customers in US 91% in Western Countries

slide-19
SLIDE 19

Basket Inference

19

71% “recreational” 29% non-recreational pharmaceuticals

slide-20
SLIDE 20

92% 8%

Non-US orders

Recreational Non-Recreational

Order composition

67% 33%

US orders

Recreational Non-Recreational

20

US visitors 4x more likely to select non-recreational drugs Than other Western visitors

slide-21
SLIDE 21

Conclusions

  • Order throughput estimates for 10 major

spam-advertised affiliate programs

  • Whole-program revenue estimates
  • $200K-$1.5M/month per program; $9.8M/month total
  • Location-based demand measurements
  • Western purchases dominate demand
  • US customers four times as likely to select

non-recreational pharmaceuticals

21

slide-22
SLIDE 22

Thank You!

Yahoo! 22